Education software giant PowerSchool has started notifying individuals in the U.S. and Canada whose personal data was exposed in a late December 2024 cyberattack.

Though this is a step forward, the company has still not officially disclosed the exact number of individuals impacted by the security incident.

Moreover, a detailed report on what exactly has happened, expected by CrowdStrike, who is involved in the investigations, continues to be overdue.

The PowerSchool cyberattack

PowerSchool is a cloud-based K-12 software provider serving over 60 million students and 18,000 customers worldwide, offering enrollment, communication, attendance, staff management, learning, analytics, and finance solutions.

In December, the company suffered a breach where attackers gained unauthorized access to one of its customer support portals, PowerSource, and stole sensitive data from 6,505 school districts.

The stolen data includes varying types of information per district, including full names, physical addresses, contact information, Social Security numbers (SSNs), medical data, and grades.

Although the company alleged that the incident only impacted a subset of customers, a threat actor claimed in their extortion demand that they stole data of 62,488,628 students and 9,506,624 teachers, indicating the scope of the breach was all but limited.

In an update published on the PowerSchool website yesterday, the company says it has started notifying individuals affected by the data breach.

This includes current and former students, if applicable, their parents and guardians, and also educators in the U.S., Canada, and abroad.

"PowerSchool began the process of filing regulatory notifications with Attorneys General Offices across applicable U.S. jurisdictions on behalf of impacted customers who have not opted-out of our offer to do so," reads the status update.

"PowerSchool has also started the process of notifying Canadian regulators. We will provide a separate update to our international customers later this week."

PowerSchool has already shared a sample notification with Maine's Attorney General's office, which states that 33,488 people were impacted in that state. However, it does not include the total number of affected people.

Depending on the school district, the data breach notifications will alert individuals if their Social Security Numbers and medical information were stolen, which does not appear to be the case for Maine residents.

The company offers impacted students and teachers free two-year identity theft protection services and credit monitoring for adults.